Todd Lipcon has posted comments on this change.

Change subject: security: generate certs on the tserver, sign them on the master
......................................................................


Patch Set 2:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/5766/2/src/kudu/master/master.proto
File src/kudu/master/master.proto:

Line 257:   optional bytes csr_der = 5;
> Why not depend on security_ca.proto and use X509CsrPB here instead?
For this use case, I don't think we gain much from the flexibility of having 
the PEM vs DER as an option, so I was following the KISS principle of just 
sending a string.


http://gerrit.cloudera.org:8080/#/c/5766/2/src/kudu/tserver/tablet_server.h
File src/kudu/tserver/tablet_server.h:

Line 108:   std::unique_ptr<TSCertManager> cert_manager_;
> Probably, in the non-TLS case, it's just a wrapper around nil?
Also allows just a forward declaration here, which improves compile time (and the 
"cost" of the pointer indirection isn't substantial for this path).


http://gerrit.cloudera.org:8080/#/c/5766/2/src/kudu/tserver/ts_cert_manager.cc
File src/kudu/tserver/ts_cert_manager.cc:

Line 61:   // TODO(aserbin): do these fields actually have to be set?
> ok, I'll take a look.  Basically, I just need to make sure whether we are l
Got it. Even the hostname, I'm not 100% sure it's necessary for our use case, since 
we can check against the UUID matching, no? Will have to see how the TLS client 
can be configured.


-- 
To view, visit http://gerrit.cloudera.org:8080/5766

Gerrit-MessageType: comment
Gerrit-Change-Id: I3eb8ab4edc17e2fa1a54e0123a06dabc59a0489b
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <t...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-HasComments: Yes
